Openvpn 2.6 (fingerprint setup) on CentOS 7.9

by jonaskellens, from LinuxQuestions.org (#6PNT0)
Hello

I am trying to set up (simple) openVPN with peer-fingerprint between server and client.

openVPN version:
Code:
[root@server openvpn]# openvpn --version
OpenVPN 2.6.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06

I followed this guide: https://github.com/openvpn/openvpn/b...ingerprint.rst

I have set up all the files:
Code:
[root@server openvpn]# ls -lh /etc/openvpn/server
total 16K
-rw-------. 1 openvpn openvpn 580 Aug 1 21:21 openvpn.log
-rw-r--r--. 1 openvpn openvpn 652 Aug 1 14:16 server.conf
-rw-r--r--. 1 openvpn openvpn 635 Aug 1 14:00 server.crt
-rw-r--r--. 1 openvpn openvpn 306 Aug 1 14:00 server.key

server.conf:
Code:
[root@server openvpn]# cat /etc/openvpn/server/server.conf
# OpenVPN configuration file for VPN SERVER
port 1194
proto udp
dev tun
dh none
cert server.crt
key server.key
ifconfig 10.10.0.1 10.10.0.2
# A tun-mtu of 1400 avoids problems of too big packets after VPN encapsulation
tun-mtu 1400
keepalive 10 60
# Notify clients when you restart the server to reconnect quickly
explicit-exit-notify 1
# The fingerprints of your clients. After adding/removing one here restart the server
<peer-fingerprint>
7A:B5:74:07:AF:50:1A:D1:4F:A2:7A:A5:D1:97:64:F5:C9:5F:......
</peer-fingerprint>
user openvpn
group openvpn
log openvpn.log
verb 5

When I start the service:
Code:
[root@server openvpn]# systemctl status openvpn-server@server.service
openvpn-server@server.service - OpenVPN service for server
Loaded: loaded (/usr/lib/systemd/system/openvpn-server@.service; disabled; vendor preset: disabled)
Active: activating (auto-restart) (Result: exit-code) since Thu 2024-08-01 21:02:00 CEST; 270ms ago
Docs: man:openvpn(8)
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 31334 ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC --config %i.conf (code=exited, status=1/FAILURE)
Main PID: 31334 (code=exited, status=1/FAILURE)

Aug 01 21:02:00 tstv7 systemd[1]: openvpn-server@server.service: main process exited, code=exited, status=1/FAILURE
Aug 01 21:02:00 tstv7 systemd[1]: Failed to start OpenVPN service for server.
Aug 01 21:02:00 tstv7 systemd[1]: Unit openvpn-server@server.service entered failed state.
Aug 01 21:02:00 tstv7 systemd[1]: openvpn-server@server.service failed.

The openvpn.log:
Code:
[root@server openvpn]# cat server/openvpn.log
WARNING: Ignoring option 'dh' in tls-client mode, please only include this in your server configuration
Using certificate fingerprint to verify peer (no CA option set).
DEPRECATION: No tls-client or tls-server option in configuration detected. OpenVPN 2.7 will remove the functionality to run a VPN without TLS. See the examples section in the manual page for examples of a similar quick setup with peer-fingerprint.
Options error: Parameter cert_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
Use --help for more information.

What am I missing here? It seems the 'fingerprint' configuration is not well read??
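A small config lint for the failure this post runs into, added here as an example (it is not from the post or from the OpenVPN project): it checks that a config using cert/key/&lt;peer-fingerprint&gt; also sets tls-server or tls-client (the condition the Options error names), that peer verification is configured at all, and that every fingerprint is 32 colon-separated hex bytes. The function names, the sample config and the placeholder fingerprint are constructed for the demo.

```shell
# Lint an OpenVPN 2.6 peer-fingerprint config for the misconfiguration in this
# thread: cert/key/<peer-fingerprint> are set, but neither tls-server nor
# tls-client is, so OpenVPN rejects 'cert' ("can only be specified in TLS-mode").
lint_ovpn_fp_conf() {   # $1 = config path; returns 0 when there is no finding
  conf="$1"
  rc=0
  # Drop comments (# or ;) and blank lines so directive matching is reliable.
  body=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$conf")
  has() { printf '%s\n' "$body" | grep -Eq "^[[:space:]]*$1([[:space:]]|$)"; }
  if has cert || has key || has '<peer-fingerprint>'; then
    if ! has tls-server && ! has tls-client; then
      echo "FAIL: cert/key/peer-fingerprint require TLS mode: add 'tls-server' (server side) or 'tls-client'"
      rc=1
    fi
  fi
  # With no CA, peer identity rests entirely on the fingerprint list.
  if ! has ca && ! has '<peer-fingerprint>' && ! has peer-fingerprint; then
    echo "FAIL: neither 'ca' nor 'peer-fingerprint' set; peer certificates would not be verified"
    rc=1
  fi
  # Every line inside <peer-fingerprint> must be a SHA-256 fingerprint: 32 colon-separated hex bytes.
  bad=$(printf '%s\n' "$body" \
        | awk '/<peer-fingerprint>/{f=1;next} /<\/peer-fingerprint>/{f=0} f' \
        | grep -Evc '^[[:space:]]*([0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}[[:space:]]*$' || true)
  if [ "$bad" -gt 0 ]; then
    echo "FAIL: $bad malformed fingerprint line(s) in <peer-fingerprint>"
    rc=1
  fi
  return $rc
}

# Constructed demo data (placeholder fingerprint, not the thread's real one).
DEMO_FP='AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99'
write_demo_conf() {   # $1 = output path, $2 = extra directive ("" or "tls-server")
  printf 'port 1194\nproto udp\ndev tun\ndh none\ncert server.crt\nkey server.key\n%s\n' "$2" > "$1"
  printf '<peer-fingerprint>\n%s\n</peer-fingerprint>\nuser openvpn\ngroup openvpn\n' "$DEMO_FP" >> "$1"
}

# With a path argument lint that file; otherwise lint the demo as posted, then fixed.
if [ $# -gt 0 ]; then
  lint_ovpn_fp_conf "$1"
else
  demo=$(mktemp)
  write_demo_conf "$demo" "";           lint_ovpn_fp_conf "$demo" || echo "-> as posted: rejected"
  write_demo_conf "$demo" "tls-server"; lint_ovpn_fp_conf "$demo" && echo "-> with tls-server: clean"
  rm -f "$demo"
fi
```

Run it as `sh lint.sh /etc/openvpn/server/server.conf` before restarting the service; a clean exit means the three checks above pass, not that OpenVPN will accept everything else in the file.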